CODEWITHSUNDEEP
pythonmacossandboxcode-signingentitlements
Camon
Camon

Reputation: 1043

App sandboxing issue with Apple Mac app store

I am creating the entitlement keys for my app's sandbox. I'm having some issues with the entitlement key com.apple.security.temporary-exception.sbpl. There are five exceptions that I need to add to this key and they are ipc-posix-sem, file-issue-extension, mach-lookup, file-write-create, and file-read-data. Because I am making this application outside of Xcode (I'm using Python), I have to manually create the entitlement file. I already 'succeeded', but Apple doesn't seem to like my formatting.

Here is the original code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.temporary-exception.sbpl</key>
    <string>
            (begin
                (allow ipc-posix-sem)
                (allow file-issue-extension)
                (allow mach-lookup)
                (allow file-write-create)
                (allow file-read-data))
        </string>
</dict>
</plist>

After being rejected for com.apple.security.temporary-exception.sbpl, I made the following revision:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.temporary-exception.sbpl</key>
    <array>
        <string>(allow ipc-posix-sem)</string>
        <string>(allow file-issue-extension)</string>
        <string>(allow mach-lookup)</string>
        <string>(allow file-write-create)</string>
        <string>(allow file-read-data)</string>
    </array>
</dict>
</plist>

My question is this: Is my new formatting the correct way of using the .sbpl entitlement? After tasting my app, it works with this new entitlement file, now all I need to know is if it is acceptable for Apple.

I found two examples of entitlement files from here and here, and I believe my file is setup appropriately after looking at them.

Upvotes: 2

Views: 976

Answers (1)

Michael Dautermann
Michael Dautermann

Reputation: 89549

I found another Sandbox entitlements file in GitHub and your formatting looks correct to my eyes.

I think another problem may be is that you need to supply arguments after commands like "mach-lookup". I'm looking at the Apple Sandbox Guide unofficial documentation found here.

Upvotes: 1

Related Questions